Managing Instance Access Using OS Login

You can use Compute Engine IAM roles
to manage SSH access to instances. This feature gives you more granular
control over which users can connect to your instances and what level of
permission they have. You can apply IAM roles at the project, folder, or
organization level, but not on individual resources.

Note: If your project is part of an organization, you can grant instance
access to users who are outside of your organization by granting
roles/compute.osLoginExternalUser to those users at the organization level.

Note: OS Login is not currently supported in Google Kubernetes Engine.
Google Kubernetes Engine cluster nodes continue to use metadata SSH keys when
OS Login is enabled.

Enabling or disabling OS Login

Before you can manage instance access using IAM roles, you must enable the
OS Login feature by setting the enable-oslogin metadata value to TRUE in
either project or instance metadata. To disable OS Login, set
the metadata value to FALSE. For example, you might enable the feature
across your entire project using enable-oslogin=TRUE at the project level,
but set enable-oslogin=FALSE on specific instances that cannot use it yet.

Users cannot see details about your instances or the external IP addresses
for those instances unless you provide those details directly to them.
To allow users to view the details of your instances, grant them additional
IAM roles. For example, the roles/compute.viewer role allows users to view
all of the resources in your project, including instance details.

To revoke user access to instances that are enabled to use OS Login, remove
the user roles from that user account. The user
still has public SSH keys associated with their account, but those keys no
longer function on your instances.

Note: Users with active SSH connections are not disconnected and retain their
sudo privileges until the next time they establish an SSH connection.
Compute Engine determines a user's authentication,
authorization, and sudo privileges only when a user establishes a
connection to an instance.

Granting instance access to users outside of your organization

By default, users outside of your organization cannot
set SSH keys for instances in your organization or be
granted access to instances in your organization. In
some situations, you might need to grant instance
access to users who are part of a different organization
or who have a consumer Google gmail.com account.

The roles/compute.osLoginExternalUser
IAM role allows external Google accounts to interact with the other
OS Login roles by allowing them to configure POSIX
account information.

You can use the gcloud command-line tool or the OS Login API to add SSH keys
to your own account. Alternatively, if you are a domain admin for an
organization, you can use the Directory API to add SSH keys to a user
account in your organization.

gcloud

The gcloud compute os-login commands are available only on
Google Cloud SDK version 184 and later.

Use the gcloud command-line tool to associate public SSH keys with an
account.

[KEY_FILE_PATH] is the path to the public SSH key on your local
workstation.

[EXPIRE_TIME] is an optional flag to set an expiration time for the
public SSH key. For example, you can specify 30m and the SSH key will
expire after 30 minutes. Valid units for this flag are s for seconds,
m for minutes, h for hours, or d for days. You can set the value
to 0 to indicate no expiration time.

[EXPIRATION_TIMESTAMP] is the expiration time for the key in
microseconds since epoch.

Directory API

If you are a domain admin for an organization, you can use the
Directory API Reference to add SSH keys to the account of another user in
your organization. For example, create a PUT request to the
directory.users.update method with one or more sshPublicKeys entries.
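The gcloud placeholders above ([KEY_FILE_PATH], [EXPIRE_TIME], [EXPIRATION_TIMESTAMP]) and the Directory API PUT body are two views of the same operation: a public key line plus an optional expiration. The following is an added example, not code from this page or from Google, that validates an OpenSSH public key line, turns a TTL such as 30m into microseconds since epoch, and builds both the gcloud argument list and the sshPublicKeys body for directory.users.update. Assumptions, also marked in the code: the gcloud flags are --key-file and --ttl; the Directory API user resource stores keys under sshPublicKeys with fields key and expirationTimeUsec (sent as a string); the sample key is constructed in the block, not a real key.

```python
"""Added example: prepare OS Login SSH-key registration requests.

Assumptions (not confirmed by the page):
  * `gcloud compute os-login ssh-keys add` takes --key-file and --ttl.
  * Directory API users carry `sshPublicKeys: [{key, expirationTimeUsec}]`,
    with expirationTimeUsec as a decimal string of microseconds since epoch.
"""
import base64
import binascii
import re
import struct

# Multipliers for the TTL units the page lists: s, m, h, d.
_TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# OpenSSH public-key line: <type> <base64 blob> [comment]
_KEY_RE = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+\S.*)?$"
)


def parse_ttl(ttl):
    """Seconds for 'N[s|m|h|d]' (bare N means seconds); None for 0 (no expiry)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", ttl.strip())
    if not m:
        raise ValueError(f"bad ttl {ttl!r}; expected N[s|m|h|d] or 0")
    n, unit = int(m.group(1)), (m.group(2) or "s")
    return None if n == 0 else n * _TTL_UNITS[unit]


def expiration_usec(ttl, now_sec):
    """[EXPIRATION_TIMESTAMP]: microseconds since epoch, or None for no expiry."""
    secs = parse_ttl(ttl)
    return None if secs is None else (now_sec + secs) * 1_000_000


def validate_public_key(line):
    """Reject anything that is not a well-formed OpenSSH public key; return its type."""
    m = _KEY_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = m.group(1), m.group(2)
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key body is not valid base64") from exc
    # The wire blob begins with a length-prefixed string naming the key type,
    # which must agree with the leading word of the line.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type prefix does not match blob")
    return key_type


def gcloud_add_key_argv(key_file_path, ttl=None):
    """Argument vector for adding a key to your own account (flag names assumed)."""
    argv = ["gcloud", "compute", "os-login", "ssh-keys", "add",
            f"--key-file={key_file_path}"]
    if ttl is not None:
        parse_ttl(ttl)  # fail early on a malformed [EXPIRE_TIME]
        argv.append(f"--ttl={ttl}")
    return argv


def directory_update_body(existing_keys, key_line, ttl, now_sec):
    """Body for PUT directory.users.update adding one key to an account.

    PUT replaces the whole user resource, so the keys already on the account
    are passed in and re-sent; otherwise the update would drop them.
    """
    validate_public_key(key_line)
    entry = {"key": key_line.strip()}
    exp = expiration_usec(ttl, now_sec)
    if exp is not None:
        entry["expirationTimeUsec"] = str(exp)  # assumed: int64 sent as string
    return {"sshPublicKeys": list(existing_keys) + [entry]}


def expired_keys(ssh_public_keys, now_sec):
    """Hygiene check: entries whose expirationTimeUsec has already passed."""
    now_usec = now_sec * 1_000_000
    return [k for k in ssh_public_keys
            if "expirationTimeUsec" in k and int(k["expirationTimeUsec"]) <= now_usec]


def _constructed_ed25519_key(comment="example@example.com"):
    """Build a syntactically valid but meaningless ed25519 public key line."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))  # constructed, not a real key
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_KEY = _constructed_ed25519_key()  # constructed sample input

if __name__ == "__main__":
    now = 1_700_000_000
    print(" ".join(gcloud_add_key_argv("~/.ssh/id_ed25519.pub", "30m")))
    body = directory_update_body([], SAMPLE_KEY, "30m", now)
    print(body)
    print("expired after 1h:", expired_keys(body["sshPublicKeys"], now + 3600))
```

The base64 check matters in practice: a key line that is truncated or pasted with a wrong type prefix is rejected before any request is made, rather than being stored as an entry that never matches at login time. The expired_keys helper is the check an admin would run over an account's sshPublicKeys list to prune stale entries.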

After you add your keys to your account, you can
connect to instances using third-party tools and the username associated with your account.
Your organization admin can change this username. You can find the username for
your account by running the gcloud compute os-login describe-profile
command:

[USER_NAME] is the username for establishing SSH connections. By default,
this is generated from your [ACCOUNT_EMAIL].

Modifying user accounts using the Directory API

If you are an organization admin, you can modify instance login settings
for user accounts as well as many other user properties. To learn how to
make a user an administrator, read the
Directory API guide.
You can use this API to add and remove a user's SSH keys, modify POSIX account
information, and change the username that the user connects with on the instance.